Mermaid Improper Sanitization of Architecture Diagram Icons Leading to Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Mermaid versions through 11.9.0. In the default configuration, user-supplied input for architecture diagram icons is not properly sanitized before being passed to the D3 'html()' method. This oversight creates an opportunity for malicious users to inject arbitrary HTML, which can be executed as JavaScript, potentially leading to XSS attacks. The vulnerability was introduced in version 11.1.0 and has been fixed in version 11.10.0.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create an architecture diagram in Mermaid version 11.9.0 or earlier. Include a service with an 'iconText' value that contains HTML, such as an image tag with an 'onerror' event. When the diagram is rendered, the injected HTML will be executed, demonstrating the XSS vulnerability.

Remediation

Users can update to Mermaid version 11.10.0 or later, where this vulnerability has been fixed.